
LDAP probing

So I was reading a magazine (Hackinthebox) article regarding LDAP and it got me thinking: would it be possible to query an Active Directory domain anonymously? After a little search I found that it was not enabled by default in Windows 2003; well, actually you can get some info but not much. So if I was logged into the network with a domain account (just basic user level permissions), would I be able to perform an LDAP query requesting password hashes? I'm not at home to try on my test network. If I had to guess I would say that it's not possible to get the hashes, but possibly other useful information for a pentester. Anyone know if it is possible to get the password hashes via this method?

What he is really looking for, Dinowuff, is for someone to give him the answer on a silver platter, only to find that he needs yet someone else to dish it up and serve.

CTO

Wow, some people here are .... won't finish that. Did you read the article? How about the first post? Because I couldn't find anything in the article useful to this post. I could be wrong (and have been wrong, I'm only human).

Well, I'm thinking if I was logged into a domain as just a normal user I could grab the password hashes along with the usernames and use some sort of pass-the-hash tool to escalate my permissions to possibly a domain admin.

If you take a 2003 server CD and install it on a server, follow default prompts and then run the wizards to configure roles, a user with no domain admin rights can capture the hashes.

That being said, with metasploit and a few other tools, you can capture account information over the wire. You will also need a detailed understanding of TCP and http://web.mit.edu/Kerberos/

It is possible to craft a packet wrapper to force information about accounts and passwords to a dmp file. However, using this type of method you would need access to the local dmp file, and a real good understanding of .NET and C#. For Windows, that is.

LDAP. Probably not what I would use. LDAP will give you this as a regular user
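The thread raises two checkable questions: whether anonymous LDAP access is enabled on the forest (the "not enabled by default" point in the first post), and whether an LDAP search can ever return password hashes to an ordinary user. The following audit script is an added example and not code from anyone in the thread. It assumes a domain-joined Windows host that can reach a domain controller, runs as a regular domain user, and uses a placeholder account name `$SampleUser`. It reads the forest-wide dsHeuristics value (7th character set to `2` enables anonymous LDAP operations) and then performs a directory search that explicitly asks for unicodePwd. That attribute is write-only over LDAP, so the search never returns it regardless of who asks; what a regular user does get back is directory metadata such as sAMAccountName and memberOf, which is the kind of information the first post suspected would be readable.

```powershell
# Added example, not from the thread: defender-side LDAP audit run as a normal domain user.
# Assumptions (labelled): domain-joined host with a reachable DC; $SampleUser is a placeholder.

$SampleUser = 'jdoe'   # placeholder account name, not taken from the thread

# 1) Forest-wide anonymous LDAP setting lives in dsHeuristics on the Directory Service object.
$rootDse      = [ADSI]'LDAP://RootDSE'
$configNc     = [string]$rootDse.configurationNamingContext
$dsObj        = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$dsHeuristics = [string]$dsObj.dsHeuristics   # empty string if the attribute is not set (the default)

if ($dsHeuristics.Length -ge 7 -and $dsHeuristics[6] -eq '2') {
    Write-Output "dsHeuristics='$dsHeuristics': anonymous LDAP operations are ENABLED - review this setting."
} else {
    Write-Output "dsHeuristics='$dsHeuristics': anonymous LDAP operations are disabled (the default)."
}

# 2) Ask the directory for unicodePwd alongside ordinary attributes and see what comes back.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SampleUser))"
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('memberOf')
[void]$searcher.PropertiesToLoad.Add('unicodePwd')   # write-only attribute; never returned by a search
$result = $searcher.FindOne()

if ($null -eq $result) {
    Write-Output "No user object found for '$SampleUser'."
} else {
    # SearchResult property names are lower-cased by DirectorySearcher.
    $returnedPwd = $result.Properties.Contains('unicodepwd')
    Write-Output "unicodePwd returned by LDAP search: $returnedPwd"   # expected: False
    Write-Output "memberOf entries readable as a regular user: $($result.Properties['memberof'].Count)"
}
```

Run it as the low-privilege account under discussion; the hash check reports False on any domain controller because the directory refuses to disclose unicodePwd over LDAP, while the dsHeuristics line tells you whether someone has relaxed anonymous access from the default the first post describes.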